>I have an excel file that I am trying to prove was
>opened on a file server and copied directly to the
>a:drive of a computer I am examining.

Just out of curiosity, do you have the diskette from the A:\ drive?

> The excel file
>was found in slack space on the computer. The
>metadata shows it was copied to the a:drive but does
>not indicate the time and date. The network logs are
>not available. Does anyone have any ideas or
>understand how to decipher the metadata? The time and
>date of the file xfer is critical to my case.

When you say that the Excel file was found in the slack space, is its
structure as a file? Or some sort of binary memory image? If it's a file,
even a temporary file, perhaps you can determine the MAC times from the
file. Also, check the \temp directory for any images that may exist there.

A couple of quick questions that may assist us in helping you...

1. What platform was this information retrieved from? Win98/ME? NT/2K?
2. How was it retrieved? Linux 'dd'? EnCase?
3. What platform and tools are you using to conduct your analysis?

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Sat Oct 13 2001 - 19:14:15 PDT